Make tctl bots add display the proxy address (#16045)

* Make `tctl bots add` return the proxy address rather than the auth server address

* Remove CA pins from `tctl bots add`

tool/tbot/main.go

@@ -60,7 +60,7 @@ func Run(args []string, stdout io.Writer) error {
 	versionCmd := app.Command("version", "Print the version of your tbot binary")
 
 	startCmd := app.Command("start", "Starts the renewal bot, writing certificates to the data dir at a set interval.")
-	startCmd.Flag("auth-server", "Address of the Teleport Auth Server (On-Prem installs) or Proxy Server (Cloud installs).").Short('a').Envar(authServerEnvVar).StringVar(&cf.AuthServer)
+	startCmd.Flag("auth-server", "Address of the Teleport Auth Server or Proxy Server.").Short('a').Envar(authServerEnvVar).StringVar(&cf.AuthServer)
 	startCmd.Flag("token", "A bot join token, if attempting to onboard a new bot; used on first connect.").Envar(tokenEnvVar).StringVar(&cf.Token)
 	startCmd.Flag("ca-pin", "CA pin to validate the Teleport Auth Server; used on first connect.").StringsVar(&cf.CAPins)
 	startCmd.Flag("data-dir", "Directory to store internal bot data. Access to this directory should be limited.").StringVar(&cf.DataDir)

tool/tctl/common/bots_command.go

@@ -34,7 +34,6 @@ import (
 	"github.com/gravitational/teleport/lib/asciitable"
 	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/service"
-	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/trace"
 )
@@ -166,9 +165,8 @@ certificates:
 
 > tbot start \
    --destination-dir=./tbot-user \
-   --token={{.token}} \{{range .ca_pins}}
-   --ca-pin={{.}} \{{end}}
-   --auth-server={{.auth_server}}{{if .join_method}} \
+   --token={{.token}} \
+   --auth-server={{.addr}}{{if .join_method}} \
    --join-method={{.join_method}}{{end}}
 
 Please note:
@@ -177,7 +175,7 @@ Please note:
   - /var/lib/teleport/bot must be accessible to the bot user, or --data-dir
     must point to another accessible directory to store internal bot data.
   - This invitation token will expire in {{.minutes}} minutes
-  - {{.auth_server}} must be reachable from the new node
+  - {{.addr}} must be reachable from the new node
 `))
 
 // AddBot adds a new certificate renewal bot to the cluster.
@@ -212,28 +210,16 @@ func (c *BotsCommand) AddBot(ctx context.Context, client auth.ClientI) error {
 		return nil
 	}
 
-	// Calculate the CA pins for this cluster. The CA pins are used by the
-	// client to verify the identity of the Auth Server.
-	localCAResponse, err := client.GetClusterCACert(ctx)
+	proxies, err := client.GetProxies()
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	caPins, err := tlsca.CalculatePins(localCAResponse.TLSCA)
-	if err != nil {
-		return trace.Wrap(err)
+	if len(proxies) == 0 {
+		return trace.Errorf("This cluster does not have any proxy servers running.")
 	}
-
-	authServers, err := client.GetAuthServers()
-	if err != nil {
-		return trace.Wrap(err)
-	}
-	if len(authServers) == 0 {
-		return trace.Errorf("This cluster does not have any auth servers running.")
-	}
-
-	addr := authServers[0].GetPublicAddr()
+	addr := proxies[0].GetPublicAddr()
 	if addr == "" {
-		addr = authServers[0].GetAddr()
+		addr = proxies[0].GetAddr()
 	}
 
 	joinMethod := response.JoinMethod
@@ -248,8 +234,7 @@ func (c *BotsCommand) AddBot(ctx context.Context, client auth.ClientI) error {
 	return startMessageTemplate.Execute(os.Stdout, map[string]interface{}{
 		"token":       response.TokenID,
 		"minutes":     int(time.Duration(response.TokenTTL).Minutes()),
-		"ca_pins":     caPins,
-		"auth_server": addr,
+		"addr":        addr,
 		"join_method": joinMethod,
 	})
 }